[Nagiosplug-devel] [ nagiosplug-Bugs-1985230 ] check_snmp does not allow " chars in cmdline

SourceForge.net noreply at sourceforge.net
Sat Mar 14 02:29:41 CET 2009


Bugs item #1985230, was opened at 2008-06-05 09:46
Message generated for change (Comment added) made by tonvoon
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1985230&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Argument proccessing
Group: CVS
>Status: Closed
Resolution: None
Priority: 7
Private: No
Submitted By: Jan Wagner (cyco_dd)
>Assigned to: Ton Voon (tonvoon)
Summary: check_snmp does not allow " chars in cmdline

Initial Comment:
The following Bugreport we got against our debian package:

snmpd can be queried for customized "extend"s.
A configured extend like
    extend avail_mem /usr/local/bin/check_avail_mem.pl
can be queried as
    snmpget -c public -v1 ds9 'nsExtendOutput1Line."avail_mem"'
    NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."avail_mem" = STRING: 749764

If you try to query this with check_snmp like
    check_snmp -H $HOSTADDRESS$ -C public -o 'nsExtendOutput1Line."syslog-idletime"'
this results into
    Could not open pipe: /usr/bin/snmpget -t 1 -r 5 -m ALL -v 1 -c public ds9:161 nsExtendOutput1Line."syslog-idletime"

Unfortuantely, check_snmp contains code in popen.c that does not allow any " chars in
the command line and bails out with above error.

I fixed this by commenting out the follwing block:

--- popen.c.old 2008-01-12 14:16:39.000000000 +0100
+++ popen.c     2008-01-12 14:16:54.000000000 +0100
@@ -133,8 +133,10 @@
        strcpy (cmd, cmdstring);

        /* This is not a shell, so we don't handle "???" */
+/*
        if (strstr (cmdstring, "\""))
                return NULL;
+*/

        /* allow single quotes, but only if non-whitesapce doesn't occur on both sides */
        if (strstr (cmdstring, " ' ") || strstr (cmdstring, "'''"))

You can track the bugreport via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460405

Thanks and kind regards, Jan.

----------------------------------------------------------------------

>Comment By: Ton Voon (tonvoon)
Date: 2009-03-14 01:29

Message:
Applied in git. Manually tested for an OID containing a double quote and
works as expected.

Thanks for John for his patch.

----------------------------------------------------------------------

Comment By: John A. Barbuto (jbarbuto)
Date: 2009-03-13 23:56

Message:
I just used the tests in t/check_snmp.t plus a few others more specific to
our environment.  Almost all of my extra tests, like the extend tests,
wouldn't necessarily work elsewhere.  About the only test you'd find
useful
to add is one of multiple OIDs:

$res = NPTest->testCmd( "./check_snmp -H $host_snmp -C $snmp_community -o
host.hrStorage.hrMemorySize.0,host.hrSystem.hrSystemProcesses.0 -w 1:,1: -c
1:,1:");
cmp_ok( $res->return_code, '==', 0, "Exit OK when querying hrMemorySize
and hrSystemProcesses"); 
like($res->output, '/^SNMP OK - \d+ \d+/', "String contains hrMemorySize
and hrSystemProcesses");



----------------------------------------------------------------------

Comment By: Ton Voon (tonvoon)
Date: 2009-03-13 22:04

Message:
Thanks John! I look through this now.

Out of interest, what tests did you run? Will add them into our test
scripts

----------------------------------------------------------------------

Comment By: John A. Barbuto (jbarbuto)
Date: 2009-03-13 21:14

Message:
tonvoon: I see, I thought you were referring to plugins/runcmd.c.  

I've attached a patch against the SVN trunk that changes check_snmp to use
lib/utils_cmd.c.  It's passed all the tests I've thrown at it, including
extend OIDs.  This wasn't a trivial patch, and my C foo isn't great, so
please modify as necessary.



----------------------------------------------------------------------

Comment By: Ton Voon (tonvoon)
Date: 2009-03-12 11:18

Message:
jbarbuto: Can you see the cmd_run and cmd_run_array in lib/utils_cmd.c?
This is also used in negate.c. The idea is that if you pass an array of
arguments, there will not be any shell expansion.

mechanyx: There may be quoting that is required at Nagios. If you use $ in
a command argument, you need to escape it with $$.

----------------------------------------------------------------------

Comment By: Richard Edward Horner (mechanyx)
Date: 2009-03-11 21:24

Message:
I'm not sure if this is related or not, but I had a similar problem with
check_snmp where the community string on a network device contained a
dollar sign ($). I was unable to get the check to run with that community
string. I apologize as I do not remember exactly what Nagios output when I
tried various methods of quoting or escaping it. I ended up changing the
community string on the device.

Thanks, Rich(ard)

----------------------------------------------------------------------

Comment By: John A. Barbuto (jbarbuto)
Date: 2009-03-11 20:34

Message:
I looked into writing a patch using the runcmd library, but I don't see
this function you're referring to.
np_runcmd_open() looks pretty similar to spopen(), with the same double
quotes restriction.

The old exec method of running external commands is deprecated, so I'd
really like to get extend working.

----------------------------------------------------------------------

Comment By: Ton Voon (tonvoon)
Date: 2009-02-20 00:11

Message:
I don't think this is a valid fix. Preferably check_snmp should be switched
to use the runcmd library instead, which has a function to pass a varg list
for the command to run, thereby avoiding shell quotation. 

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1985230&group_id=29880




More information about the Devel mailing list